Session 35 | Security

NOTE...

At this point I'm working on the backend, so to see the Session 35 Security code, go to the repo.

Level 1 - Email & password, plain text

The most basic security level for a website is a username and a password, where the username may be an email or an alias.

If the user and the password are saved as plain text, anyone who can read the database (a leaked backup, an injection bug, a careless admin) has every user's password. That is not good.

Level 2 - Email & password, Encryption

For encryption we can use the following package: Mongoose encryption

Encryption and decryption need a key, and that key is itself a vulnerability to cover: whoever gets the key can decrypt every stored password. Keep it out of the source code and the repository and load it from environment variables instead; the dotenv package reads them from a .env file (which must not be committed). dotenv

Level 3 - Email & password, Hashing Passwords

Hashing is a safer way to store passwords. A hash function such as md5 (one of many hash functions) turns the password into a fixed-size digest that cannot be reversed to recover the input. md5
A hash function does not save the input value; it only returns the hash it produces. This means the database does not hold the user's password, only its hash: at login the submitted password is hashed again and the two digests are compared.

A bit of hacking

md5 and sha1 are hash functions designed to be fast, which is exactly what makes them fast to crack:

6. OK, you’ve convinced me, I’ll hash the passwords into the database. I’ll use MD5. Or SHA1.
What? No! Both algorithms are ridiculously fast to brute-force, along with many other simple algorithms.

7. Gah, will nothing I do ever be enough?! What are you, my dad?!
We haven’t even gone through the steps of you asking about salting to avoid your passwords being cracked using rainbow tables, but you know what - let’s just skip to the point. Use scrypt or, if you can’t, PBKDF2 or bcrypt, which are algorithms suitable for the task (because they’re impossibly slow to break).

Developers FAQ about hacking passwords

Level 4 - Email & password, Salting and Hashing Passwords

bcrypt is the package we use to salt and hash our users' passwords; it is an easy option to get started with, so we use it for now. scrypt is another interesting choice, and PBKDF2 a weaker but still acceptable one.


Salting means adding random characters (the salt) to the password before hashing it. It does not make the password itself stronger; it makes the stored hash unique per user, so two users with the same password get different hashes and precomputed rainbow tables are useless. The salt is stored next to the hash, and bcrypt also applies a cost factor (the "salt rounds") that makes each hash deliberately slow.

Level 5 - Cookies and Sessions

Cookies are text files with small pieces of data — like a username and password — that are used to identify your computer as you use a computer network. Specific cookies known as HTTP cookies are used to identify specific users and improve your web browsing experience.
Data stored in a cookie is created by the server upon your connection. This data is labeled with an ID unique to you and your computer.
When the cookie is exchanged between your computer and the network server, the server reads the ID and knows what information to specifically serve to you. Kaspersky, definition of cookies

To control cookies and sessions we're going to use:

  1. passport
  2. passport-local
  3. passport-local-mongoose
  4. express-session
Documentation
  1. Passport Docu
  2. Passport local Docu
  3. Passport local mongoose Docu
  4. Express Session Docu
  5. GENERAL PASSPORT ECOSYSTEM GUIDE!!!
To think
  1. Locomotive framework

Level 6 - Third Party OAuth 2.0

For this we sign in with Google OAuth 2.0.

Open Authorization

OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user.

  1. Google OAuth 2.0 Guide

Level 7

.....